(54) Cryptographic puzzle cancellation service for deterring bulk electronic mail messages



(57) Methods and systems are provided for a cancellation server maintaining a database of identifiers of cryptographic puzzles. A cryptographic puzzle is created from a unique identifier and a timestamp, and is attached to an electronic mail message, along with the puzzle's solution. The recipient verifies that the solution is correct and that the timestamp is current, and further queries the cancellation server with the puzzle identifier. If the identifier does not exist in the database, then the recipient knows the received message is legitimate. If the identifier already appears in the database, the received message can be automatically removed from the recipient's computer.
Description

FIELD OF THE INVENTION 

[0001] This invention pertains generally to the field of distributed computing and more particularly to systems and methods for reducing unwanted behavior, such as sending unsolicited electronic messages en masse, over a computer network, such as the Internet.

BACKGROUND OF THE INVENTION 

[0002] Electronic messaging, particularly electronic 
mail (e-mail) carried over the Internet, has become a 
preferred method of communication for many individu- 
als and organizations. Unfortunately, e-mail recipients 
are increasingly being subjected to unsolicited and un- 
wanted mass mailings. With the growth of Internet- 
based commerce, a wide and growing variety of elec- 
tronic merchandisers are repeatedly sending unsolicit- 
ed mail advertising their products and services to an ev- 
er-expanding universe of e-mail recipients. For exam- 
ple, users of the Internet who merely provide their e-mail 
addresses in response to perhaps innocuous appearing 
requests for visitor information generated by various 
web sites, often find, later upon receipt of unsolicited 
mail and much to their displeasure, that they have been 
included on electronic distribution lists. This can have a 
negative effect on the users' experiences and can di- 
minish the productivity of users who receive such un- 
wanted e-mail, or "spam", at their place of business. 
[0003] Once a recipient finds himself on an electronic 
mailing list, that individual cannot readily, if at all, remove 
his address from it, thus effectively guaranteeing that he 
or she will continue to receive unsolicited mail. This oc- 
curs simply because the sender either prevents a recip- 
ient of a message from identifying the sender of that 
message (such as by sending mail through a proxy serv- 
er) and hence precludes that recipient from contacting 
the sender in an attempt to be excluded from a distribu- 
tion list, or simply ignores any request previously re- 
ceived from the recipient to be so excluded. 
[0004] An individual can easily receive hundreds or 
thousands of pieces of unsolicited ordinary postal mail 
over the course of a year, or less. As bad as that is, given 
the extreme ease and insignificant cost through which 
electronic distribution lists can be readily exchanged 
and e-mail messages disseminated across extremely 
large numbers of addressees, a single e-mail addressee 
included on several distribution lists can expect to re- 
ceive a considerably larger number of unsolicited email 
messages over a much shorter period of time. Further- 
more, while many unsolicited e-mail messages are be- 
nign, others, such as pornographic, inflammatory and 
abusive material, are highly offensive to their recipients. 
Some (viruses) are even harmful to computers. All such 
unsolicited messages collectively constitute so-called 
"junk" mail or "spam". 



[0005] One proposed method of addressing the junk-email problem requires a digital "postage stamp" to be attached to an e-mail message. More generally, these stamps can constitute a "proof of work." The basic idea can be summarized as follows: Whenever a sender transmits e-mail to an intended recipient, a digital postage stamp will be generated. Unlike physical postage, the sender does not spend money but instead spends CPU cycles or other computer system resources by solving a puzzle, the solution to which becomes a postage stamp. The theory is that the economics of bulk e-mail changes when e-mail is required to have postage. A single digital postage stamp is not hard to create, requiring perhaps a few seconds of computing time. Bulk e-mailers, however, rely on being able to send thousands or hundreds of thousands, or more, of messages very quickly; if they need to calculate postage stamps for every message, it will slow them down and consume CPU resources. Making spam more expensive in this manner is intended to deter spammers from operating, since a sender of a bulk e-mail in such a scheme must spend significant computational resources - at a real cost - in order to send a mass mailing, while the cost to each recipient is negligible. Another advantage to putting electronic postage on e-mail is that it can also be used as a key for filtering out spam. By adding an easily detectable and verifiable postage stamp, users would be able to filter out e-mail that does not have this postage stamp.

[0006] In some known digital postage systems, the stamp takes the form of a cryptographic puzzle and solution. The puzzles are mathematical problems possessing the general quality that they are moderately difficult to solve (i.e., they require more than a nominal amount of time and computing power), yet are easy to verify once the solution is in hand. Several researchers have investigated mathematical functions with the desired qualities, as well as protocols and systems for effectuating the use of cryptographic puzzles as digital postage stamps. These researchers include: Dwork and Naor, who proposed the use of cryptographic puzzles as a deterrent to unwanted email ("Pricing via Processing or Combatting Junk Mail," Lecture Notes in Computer Science 740 (Proceedings of CRYPTO '92), 1993, pp. 137-147); Adam Back, who later proposed HashCash for use in protecting mailing lists and in stopping denial-of-service attacks (see "Hashcash - a Denial of Service Counter-Measure," August 2002, available from http://cypherspace.org/~adam/hashcash/); Abadi, et al., who researched particularly useful mathematical functions ("Moderately Hard, Memory-bound Functions", Proceedings of the 10th Annual Network and Distributed System Security Symposium, February 2003); and Dwork et al., who conducted similar research ("On Memory-Bound Functions for Fighting Spam", Proceedings of the 23rd Annual International Cryptology Conference (CRYPTO 2003), August 2003). The above references are hereby incorporated by reference in their entirety for all that they teach without exclusion of any parts thereof.

[0007] One problem with digital postage is ensuring that a cryptographic puzzle-solution used as a stamp for one email message cannot be re-used as a stamp for a second email message. If puzzle-solutions are allowed to be re-used, an ill-intended email sender could copy one puzzle-solution for use in multiple messages, and the recipients would have no way of knowing these messages were illegitimate. Some existing digital postage systems, such as those of the aforementioned Dwork-Naor and HashCash, address this problem by insisting that the puzzle be a mathematical function of the message itself. The puzzle-solution in such systems is thus uniquely tied to the message. Although these systems preclude a puzzle-solution from being re-used, they necessarily require that the message has already been composed prior to the puzzle-solution's creation.
[0008] Other known digital postage systems address this limitation by use of a "ticket server." The ticket server is a centralized server that generates cryptographic puzzles offline. An email sender obtains a ticket by, for example, solving a cryptographic puzzle. The ticket is attached to an email message intended for a recipient, who then verifies the ticket's validity by checking with the centralized ticket server. The ticket server "cancels" used tickets to ensure that the same ticket cannot be used more than once. Although these systems allow for creating digital postage prior to message composition, they require the email sender and recipient to use and trust the same centralized server. Such a ticket server system is described by M. Abadi, A. Birrell, M. Burrows, F. Dabek, and T. Wobber, in Bankable Postage for Network Services, Proceedings of the 8th Asian Computing Science Conference, Mumbai, India, December 2003, which is hereby incorporated by reference in its entirety for all that it teaches without exclusion of any part thereof.

BRIEF SUMMARY OF THE INVENTION

[0009] Embodiments of the present invention provide methods and systems for using a cancellation server to facilitate the checking of cryptographic puzzles in order to deter the sending of bulk electronic mail messages. Illustrative embodiments pertain to a system whereby the sender of email is required to attach a "stamp" in the form of a randomly generated cryptographic puzzle. Due to their mathematical properties, significant computational resources are required to generate each puzzle. Sending an email to a large number of recipients therefore is computationally expensive if stamps are required for delivery. To effectuate the system, embodiments of the invention employ a cancellation server to ensure that the "stamps" are "cancelled" and not re-used. The stamps can be generated prior to composing the email messages, and the sender does not need to obtain a ticket or any information from the cancellation server or any other centralized server.
[0010] Generally, in embodiments of the invention, a cryptographic puzzle is created from a unique identifier and a timestamp, and is attached to a digital object, such as an electronic mail message, along with the puzzle's solution. The recipient of the object verifies that the solution is correct, the timestamp is current and that the timestamp and identifier correspond to the puzzle. The recipient further queries the cancellation server with the puzzle identifier and timestamp. If the identifier is truly unique, then it does not exist in the database, and the recipient knows the received object is legitimate. If the identifier is not unique, then it may already appear in the database, and the received object can be automatically removed from the recipient's computer. The invention thus provides advantages over the prior art, as it allows individual message senders to generate cryptographic puzzles independently, solve the puzzles at their leisure, and subsequently attach them to electronic mail messages. Unlike prior systems, the puzzles are independent from the attached messages, and do not need to be generated by a trusted independent source.
[0011] Furthermore, in some embodiments, multiple 
cancellation servers are used. The multiple cancellation 
servers act independently, query each other, or share 
databases of cancelled identifiers. 
[0012] In one aspect of the invention, a cancellation 
server is provided for canceling cryptographic puzzles, 
the puzzles associated with identifiers, for use in a digital 
delivery system comprising an intended recipient of a 
digital object including a cryptographic puzzle, the can- 
cellation server in connection with at least one data- 
base, and executing the steps of receiving the identifier 
associated with the recipient's puzzle, querying the at 
least one database with the identifier, and canceling the 
recipient's puzzle if the query fails, by causing an entry 
to be stored in the at least one database, wherein the 
entry comprises the identifier or information derived 
from the identifier. In one embodiment, the puzzles are 
further associated with timestamps, the server further 
executing the step of receiving the timestamp associat- 
ed with the recipient's puzzle, and wherein the entry to 
be stored in the at least one database if the query fails 
further comprises the timestamp or information derived 
from the timestamp. In another embodiment, the can- 
cellation server is in connection with a second cancel- 
lation server for providing data in the at least one data- 
base to the second cancellation server. In some embod- 
iments, the digital object is an electronic mail message. 
[0013] In accordance with another aspect of the invention, a puzzle checker is provided for verifying solutions to cryptographic puzzles, the puzzles associated with identifiers and timestamps, for use in a digital delivery system comprising an intended recipient of a digital object including a cryptographic puzzle and solution, the puzzle checker in connection with at least one cancellation server, and executing the steps of transmitting the identifier associated with the puzzle to the at least one cancellation server, and removing the digital object if a REJECT response is received from the at least one cancellation server. In one embodiment, the puzzle checker further executes the steps of verifying whether the solution solves the puzzle, and removing the digital object if the solution does not solve the puzzle. In another embodiment, the puzzle checker further executes the steps of confirming whether the timestamp is within a threshold range, and removing the digital object if the timestamp is outside the threshold range. In one version, the puzzle checker resides at the intended recipient. In another version, the puzzle checker resides at an intermediary server.

[0014] In accordance with another aspect of the invention, a puzzle creator is provided for generating and solving cryptographic puzzles for use in a digital delivery system comprising a puzzle checker in connection with at least one cancellation server and an intended recipient of a digital object including a cryptographic puzzle and solution, the puzzle creator executing the steps of generating an identifier, generating a timestamp, generating a cryptographic puzzle using the identifier and timestamp, and computing a solution to the cryptographic puzzle, whereby the puzzle, solution, timestamp and identifier are attached to the digital object for delivery to the intended recipient.

[0015] In accordance with another aspect of the invention, a method is provided for canceling cryptographic puzzles, the puzzles associated with identifiers, for use in a digital delivery system comprising at least one database in connection with a first cancellation server and an intended recipient of a digital object including a cryptographic puzzle, the method comprising the steps of receiving the identifier associated with the recipient's puzzle, querying the at least one database with the identifier, and canceling the intended recipient's puzzle if the query fails, by causing an entry to be stored in the at least one database, wherein the entry comprises the identifier or information derived from the identifier.
[0016] In accordance with another aspect of the invention, a computer-readable medium including computer-executable instructions is provided for facilitating the cancellation of cryptographic puzzles, the puzzles associated with identifiers, for use in a digital delivery system comprising at least one database in connection with a first cancellation server and an intended recipient of a digital object including a cryptographic puzzle, said computer-executable instructions executing the steps of receiving the identifier associated with the recipient's puzzle, querying the at least one database with the identifier, and canceling the intended recipient's puzzle if the query fails, by causing an entry to be stored in the at least one database, wherein the entry comprises the identifier or information derived from the identifier.
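The three roles described in paragraphs [0010] to [0016] (puzzle creator-solver, puzzle checker, cancellation server), carried through end to end as an added worked example in Python. This is illustrative code written for this page, not code from the patent or from any product, and every concrete choice is an assumption the patent does not make: a hashcash-style puzzle (SHA-256 over identifier, timestamp and nonce, required to have a number of leading zero bits), hour-granular timestamps, a two-day freshness window, the literal replies ACCEPT and REJECT, storing a SHA-256 of the identifier and timestamp rather than the raw pair, a `peers` list standing in for the cooperating servers of [0011], and a `purge` that drops rows a checker would reject as stale anyway. The names `Stamp`, `create_stamp`, `check_stamp`, `verify_solution` and `CancellationServer` are invented here.

```python
import hashlib
import time
import uuid
from dataclasses import dataclass

# All parameters below are assumptions for this illustration; the patent fixes none of them.
DIFFICULTY_BITS = 16              # leading zero bits the puzzle hash must have (~65k hashes of work)
TIMESTAMP_GRANULARITY = 3600      # coarse-grained timestamp: whole hours
FRESHNESS_WINDOW = 2 * 24 * 3600  # the checker accepts stamps at most two days old


@dataclass(frozen=True)
class Stamp:
    """What the sender attaches to the message: the puzzle inputs and its solution."""
    identifier: str   # globally unique identifier chosen by the sender, no server involved
    timestamp: int    # coarse creation time, seconds since the epoch, rounded down to the hour
    solution: int     # nonce that solves the puzzle


def _puzzle_hash(identifier: str, timestamp: int, nonce: int) -> bytes:
    # Assumed puzzle family: hashcash-style partial preimage over (identifier, timestamp, nonce).
    return hashlib.sha256(f"{identifier}|{timestamp}|{nonce}".encode()).digest()


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def verify_solution(identifier: str, timestamp: int, solution: int,
                    difficulty: int = DIFFICULTY_BITS) -> bool:
    """Cheap check: a single hash decides whether the nonce solves the puzzle."""
    return _leading_zero_bits(_puzzle_hash(identifier, timestamp, solution)) >= difficulty


def create_stamp(now=None, difficulty: int = DIFFICULTY_BITS) -> Stamp:
    """Puzzle creator-solver: choose an identifier and timestamp, then brute-force a nonce.
    Nothing here depends on the message or on any server, so stamps can be made in advance."""
    now = int(time.time()) if now is None else now
    identifier = str(uuid.uuid4())
    timestamp = now - now % TIMESTAMP_GRANULARITY
    nonce = 0
    while not verify_solution(identifier, timestamp, nonce, difficulty):
        nonce += 1   # expected 2**difficulty iterations: the moderately hard part
    return Stamp(identifier, timestamp, nonce)


class CancellationServer:
    """Keeps information derived from (identifier, timestamp), not the raw values.
    The first query for a key stores it and answers ACCEPT; every later query answers
    REJECT. `peers` models several servers that consult each other before answering."""

    def __init__(self, peers=()):
        self._db = {}            # derived key -> timestamp; the timestamp is kept so rows can be purged
        self._peers = list(peers)

    @staticmethod
    def _key(identifier: str, timestamp: int) -> str:
        return hashlib.sha256(f"{identifier}|{timestamp}".encode()).hexdigest()

    def has(self, identifier: str, timestamp: int) -> bool:
        return self._key(identifier, timestamp) in self._db

    def cancel(self, identifier: str, timestamp: int) -> str:
        if self.has(identifier, timestamp) or any(p.has(identifier, timestamp) for p in self._peers):
            return "REJECT"
        self._db[self._key(identifier, timestamp)] = timestamp   # query failed: cancel the puzzle
        return "ACCEPT"

    def purge(self, now: int) -> int:
        """Drop rows older than anything a checker would still accept; returns the count removed."""
        cutoff = now - FRESHNESS_WINDOW - TIMESTAMP_GRANULARITY
        stale = [k for k, ts in self._db.items() if ts < cutoff]
        for k in stale:
            del self._db[k]
        return len(stale)


def check_stamp(stamp: Stamp, server: CancellationServer, now=None,
                difficulty: int = DIFFICULTY_BITS) -> str:
    """Puzzle checker at the recipient or an intermediary. The two local checks come first:
    they cost one hash and a comparison, so unsolved or stale junk never reaches the server."""
    now = int(time.time()) if now is None else now
    if not verify_solution(stamp.identifier, stamp.timestamp, stamp.solution, difficulty):
        return "REMOVE_BAD_SOLUTION"
    if not (now - FRESHNESS_WINDOW <= stamp.timestamp <= now + TIMESTAMP_GRANULARITY):
        return "REMOVE_STALE_TIMESTAMP"
    if server.cancel(stamp.identifier, stamp.timestamp) == "REJECT":
        return "REMOVE_REUSED_STAMP"
    return "DELIVER"


if __name__ == "__main__":
    # A sender re-uses one stamp for two recipients who share a cancellation server:
    # the first delivery is accepted, the second is removed as a re-used stamp.
    shared = CancellationServer()
    stamp = create_stamp()
    print("recipient A:", check_stamp(stamp, shared))
    print("recipient B:", check_stamp(stamp, shared))
```

Two design points worth noting. The order of checks in `check_stamp` matters: a forged or expired stamp is rejected locally, so the cancellation server only ever sees stamps that cost the sender real work, and it cannot be used as a free oracle. The server only ever learns a hash of the pair, yet because the checker also bounds the timestamp, the database never needs to hold more than the freshness window's worth of rows; `purge` is what keeps it that size.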

BRIEF DESCRIPTION OF THE DRAWINGS 

[0017] While the appended claims set forth the features of the present invention with particularity, the invention and its advantages are best understood from the following detailed description taken in conjunction with the accompanying drawings, of which:
[0018] Figure 1 is a simplified schematic diagram illustrating an exemplary architecture of a computing device for carrying out a cancellation service for cryptographic puzzles, in accordance with an embodiment of the invention;
[0019] Figure 2 is an exemplary network communication arrangement including a cancellation service, in accordance with an embodiment of the invention;
[0020] Figures 3a and 3b illustrate exemplary component architectures for use in canceling cryptographic puzzles, in accordance with an embodiment of the invention;
[0021] Figure 4 illustrates a distributed system of multiple cancellation servers, in accordance with an embodiment of the invention;
[0022] Figure 5 depicts a network diagram showing an example of sending a single message intended for multiple recipients, using multiple cryptographic puzzles and multiple cancellation servers, in accordance with an embodiment of the invention;
[0023] Figure 6 is a flow diagram illustrating a method for checking cryptographic puzzles, according to an embodiment of the invention; and
[0024] Figure 7 is a flow diagram illustrating a method for operating a cancellation server, according to an embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION 

[0025] The methods and systems supporting a cancellation service for cryptographic puzzles will now be described with respect to a number of embodiments; however, the methods and systems of the invention are not limited to the illustrated embodiments. Moreover, the skilled artisan will readily appreciate that the methods and systems described herein are merely exemplary and that variations can be made without departing from the spirit and scope of the invention.
[0026] The invention will be more completely understood through the following detailed description, which should be read in conjunction with the attached drawings. In this description, like numbers refer to similar elements within various embodiments of the present invention. The invention is illustrated as being implemented in a suitable computing environment. Although not required, the invention will be described in the general context of computer-executable instructions, such as procedures, being executed by a personal computer. Generally, procedures include program modules, routines, functions, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices. The term computer system may be used to refer to a system of computers such as may be found in a distributed computing environment.
[0027] Figure 1 illustrates an example of a suitable computing system environment 100 on which the invention may be implemented. The computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the computing environment 100 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment 100. Although one embodiment of the invention does include each component illustrated in the exemplary operating environment 100, another more typical embodiment of the invention excludes non-essential components, for example, input/output devices other than those required for network communications.

[0028] With reference to Figure 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a computer 110. Components of the computer 110 may include, but are not limited to, a processing unit 120, a system memory 130, and a system bus 121 that couples various system components including the system memory to the processing unit 120. The system bus 121 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.
[0029] The computer 110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by the computer 110 and includes both volatile and nonvolatile media, and removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer 110. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above are also included within the scope of computer readable media.

[0030] The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation, Figure 1 illustrates operating system 134, application programs 135, other program modules 136 and program data 137.
[0031] The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, Figure 1 illustrates a hard disk drive 141 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD ROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, SmartCards, SecureDigital cards, SmartMedia cards, CompactFlash cards and the like. The hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140, and magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 by a removable memory interface, such as interface 150.

EP 1 580 945 A2

[0032] The drives and their associated computer storage media, discussed above and illustrated in Figure 1, provide storage of computer readable instructions, data structures, program modules and other data for the computer 110. In Figure 1, for example, hard disk drive 141 is illustrated as storing operating system 144, application programs 145, other program modules 146 and program data 147. Note that these components can either be the same as or different from operating system 134, application programs 135, other program modules 136, and program data 137. Operating system 144, application programs 145, other program modules 146, and program data 147 are given different numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into the computer 110 through input devices such as a tablet, or electronic digitizer, 164, a microphone 163, a keyboard 162 and pointing device 161, commonly referred to as a mouse, trackball or touch pad. Other input devices (not shown) may include a joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 120 through a user input interface 160 that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or a universal serial bus (USB). A monitor 191 or other type of display device is also connected to the system bus 121 via an interface, such as a video interface 190. The monitor 191 may also be integrated with a touch-screen panel or the like. Note that the monitor and/or touch screen panel can be physically coupled to a housing in which the computing device 110 is incorporated, such as in a tablet-type personal computer. In addition, computers such as the computing device 110 may also include other peripheral output devices such as speakers 197 and printer 196, which may be connected through an output peripheral interface 194 or the like.
[0033] The computer 110 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110, although only a memory storage device 181 has been illustrated in Figure 1. The logical connections depicted in Figure 1 include a local area network (LAN) 171 and a wide area network (WAN) 173, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet. For example, in the present invention, the computer 110 may comprise the source machine from which data is being migrated, and the remote computer 180 may comprise the destination machine. Note however that source and destination machines need not be connected by a network or any other means, but instead, data may be migrated via any media capable of being written by the source platform and read by the destination platform or platforms.
[0034] When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170. Alternatively, the computer 110 contains a wireless LAN network interface operating on, for example, the 802.11b protocol, allowing the computer 110 to connect to the LAN 171 without a physical connection. When used in a WAN networking environment, the computer 110 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160 or other appropriate mechanism. Alternatively, the computer 110 contains a wireless WAN network interface operating over, for example, the General Packet Radio Service (GPRS), allowing the computer 110 to connect to the WAN 173 without a physical connection. In a networked environment, program modules depicted relative to the computer 110, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation, Figure 1 illustrates remote application programs 185 as residing on memory device 181. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used. Additionally, variations of the computer 110 may be incorporated into other exemplary systems for implementing the invention, such as cellular phones, personal digital assistants, and the like.

[0035] Computing devices incorporating the invention may resemble the computing device illustrated in Figure 1, or may comprise alternative arrangements. The invention is potentially incorporated into computing devices/machines used in a variety of networking environments. Turning to Figure 2, a simple example of a networking environment is depicted wherein the invention can be employed. In the illustrative environment, an electronic mail message is created on a first computer 202 using a mail application 204, such as, for example, Microsoft Outlook or Microsoft Outlook Express. A puzzle creator-solver 205 on the first computer 202 uses a timestamp and a globally unique identifier to create and solve a cryptographic puzzle to be transmitted to the recipient of the electronic mail message. The puzzle preferably is from a class of puzzles that require a moderate amount of computational power to solve (requiring an amount of time, for example, on the order of several seconds on the fastest commercially available computers), yet their solutions can be verified with only slight computational power. Such cryptographic puzzles are described more fully in, for example, the aforementioned Dwork and Naor and HashCash. Alternatively, the puzzle creator-solver is located remotely at, for example, a trusted independent puzzle creation server. In this alternative arrangement, a trusted independent authority distributes pre-solved puzzles in exchange for money, or, for example, as a customer incentive. An exemplary scheme for distributing pre-solved puzzles uses a class of puzzles that contains a trap-door, such as the Dwork-Naor scheme.
[0036] The electronic mail message, puzzle and solution are combined with the timestamp and a unique identifier to collectively form a package, which is sent from the computer 202 to a mail server 206, typically located at the Internet Service Provider (ISP) providing internet access to the computer 202. The mail server 206 uses a mail transport agent (MTA) 208 operating a mail sending protocol such as SMTP to transmit the package over the Internet 210, eventually reaching a mail server 212 located at the ISP providing internet access to the recipient's computer 214. The mail server 212 uses an MTA 216 operating a mail delivery protocol such as IMAP to deliver the package to a mail application 218 on the recipient computer 214. The mail application 218 opens the package and uses a puzzle checker 220 to verify that the included solution indeed solves the included puzzle and that the timestamp is within a given range to ensure the puzzle was recently generated. The timestamp used by the puzzle creator-solver is preferably coarsely grained, accurate only to the granularity of hours or days. 

[0037] The recipient computer 214 further checks that the cryptographic puzzle has not been used in association with other mail messages by using a cancellation server 222. The cancellation server 222 stores in a database 224 the unique identifiers and timestamps of cryptographic puzzles, preferably by storing a hashed value, or other information derived from the unique identifiers and timestamps, to conserve data storage. Alternatively, a data structure stores cancellation information for the puzzles for use in conjunction with a Bloom filter. The recipient computer 214 preferably establishes an authenticated connection to the cancellation server 222, and transmits the unique identifier and timestamp from the received package to the cancellation server 222 via the Internet 210. The cancellation server 222 verifies that the puzzle's unique identifier does not exist in the database 224, and notifies the recipient's computer 214 that the puzzle is valid. The cancellation server 222 then adds the unique identifier and timestamp to the database 224 to prevent future messages from using the particular puzzle. By using cryptographic puzzles with a cancellation server in this manner, a recipient of an electronic mail message has confidence that the message has been individually created for his receipt. If the cancellation server 222 is very active and cancels in its database 224 a large number of puzzles for a large number of users, then the probability that an illegitimate message (i.e., one containing a reused puzzle) goes undetected becomes small. 

[0038] There are numerous ways for a puzzle creator-solver 205 to generate an identifier that is, with high probability, globally unique. For example, if a strong random number generator is available, the puzzle creator-solver 205 simply generates random numbers of sufficient length. Alternatively, an unrelated, but intrinsic property of the computer 202 is used to guarantee that the sequence of identifiers from this computer does not clash with any others. For example, in one embodiment the puzzle creator-solver 205 concatenates a 48-bit Ethernet MAC address of the computer 202 and 80 random bits. Sufficient randomness is used so that it will be prohibitively difficult for an attacker to guess an identifier that a legitimate generator might create. 
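The following Python is an added illustration of paragraphs [0035] to [0038]; it is not code from the patent. It models the puzzle as a HashCash-style partial hash preimage over SHA-256: the puzzle is fixed by the 128-bit identifier (48-bit MAC followed by 80 random bits, or 128 random bits) and an hour-granular timestamp, the solution is a nonce, solving costs many hash trials while verification costs one. The difficulty (12 leading zero bits), the three-day acceptance window and the one-hour clock-skew allowance are assumed values chosen for the demonstration, not figures given by the page.

```python
import hashlib
import secrets
import struct
import time

# Hypothetical parameters for this demonstration. The text asks for puzzles
# that take several seconds on fast hardware; 12 leading zero bits (about 4096
# hash trials on average) keeps the example quick while keeping the asymmetry
# between solving and verifying.
DIFFICULTY_BITS = 12
TIMESTAMP_GRANULARITY = 3600      # coarse timestamp: whole hours, per [0036]
MAX_AGE = 3 * 24 * 3600           # accept puzzles up to three days old (assumed)
MAX_CLOCK_SKEW = 3600             # tolerate one hour of skew into the future (assumed)


def make_identifier(mac=None):
    """128-bit identifier per [0038]: 48-bit MAC || 80 random bits, or 128 random bits."""
    if mac is None:
        return secrets.token_bytes(16)
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return mac + secrets.token_bytes(10)


def coarse_timestamp(now=None):
    """Timestamp rounded down to the hour, so it reveals little about the sender's clock."""
    now = time.time() if now is None else now
    return int(now // TIMESTAMP_GRANULARITY) * TIMESTAMP_GRANULARITY


def puzzle_digest(identifier, timestamp, nonce):
    """The puzzle is determined by (identifier, timestamp); the nonce is the solution."""
    return hashlib.sha256(identifier + struct.pack(">QQ", timestamp, nonce)).digest()


def leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(identifier, timestamp, bits=DIFFICULTY_BITS):
    """Puzzle creator-solver: brute-force the smallest nonce meeting the difficulty."""
    nonce = 0
    while leading_zero_bits(puzzle_digest(identifier, timestamp, nonce)) < bits:
        nonce += 1
    return nonce


def verify_solution(identifier, timestamp, nonce, bits=DIFFICULTY_BITS):
    """Puzzle checker: a single hash, however long the solver worked."""
    return leading_zero_bits(puzzle_digest(identifier, timestamp, nonce)) >= bits


def timestamp_is_current(timestamp, now=None):
    """Reject puzzles that are too old or implausibly far in the future."""
    now = time.time() if now is None else now
    return now - MAX_AGE <= timestamp <= now + MAX_CLOCK_SKEW


def create_package(now=None, mac=None):
    """Sender side: identifier, timestamp and solution to attach to the message."""
    identifier = make_identifier(mac)
    timestamp = coarse_timestamp(now)
    return {"identifier": identifier, "timestamp": timestamp,
            "nonce": solve(identifier, timestamp)}


def check_package(pkg, now=None):
    """Recipient side, before any cancellation-server query: the cheap checks first."""
    if not timestamp_is_current(pkg["timestamp"], now):
        return "stale"
    if not verify_solution(pkg["identifier"], pkg["timestamp"], pkg["nonce"]):
        return "bad_solution"
    return "ok"


if __name__ == "__main__":
    pkg = create_package()
    print(pkg["nonce"], check_package(pkg))
```

Because the solver returns the smallest valid nonce, every smaller nonce is a deterministic counterexample for the verifier, which is what the check below relies on; the timestamp check runs before the hash check so that a stale package costs the recipient nothing.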
[0039] Turning attention to Figure 3a, an embodiment of the invention is shown where the puzzle creator-solver and puzzle checker are located at the respective computers of the message sender and message recipient. In this embodiment, the sender's computer executes a mail application 302 and a puzzle creator-solver 304, which work in concert with one another. In one embodiment, a user generates a mail message using the mail application 302 and executes a "send" command by, for example, clicking a button labeled "Send" on the mail application's 302 user interface. The mail application 302, prior to actually sending the message, calls the puzzle creator-solver 304 to generate and solve a cryptographic puzzle. The puzzle creator-solver 304 generates a unique identifier and timestamp and uses them to create a cryptographic puzzle, which it then solves. The puzzle creator-solver 304 passes the puzzle, solution, timestamp and unique identifier back to the mail application 302. The mail application 302 attaches the puzzle, solution, timestamp and unique identifier to the message, and transmits the message with attachments to a mail transport agent (MTA) 306, typically located at the sender's ISP. In one embodiment, the puzzle creator-solver 304 generates puzzles in an offline process, so that a pre-generated puzzle/solution is immediately available and only minimal delay is required for the mail application 302 to transmit the message to the MTA 306. 

[0040] Through standard electronic mail processing operations, the message is routed from the sender's MTA 306 to the recipient's MTA 308. The message is then downloaded to a mail application 310 operated by the recipient. The recipient's mail application 310 calls a puzzle checker 312 to verify that the attached puzzle is legitimate. The puzzle checker 312 verifies that the attached solution solves the puzzle and that the timestamp is within a given range to ensure it was recently generated. The puzzle checker 312 then communicates with a cancellation server 314 to confirm that the puzzle has not been used for other electronic mail messages. The puzzle checker 312 sends the unique identifier and timestamp of the message to the cancellation server 314, which looks up the unique identifier in its database 316. If the identifier already exists in the database, then the cancellation server 314 tells the puzzle checker 312 that the puzzle is not valid. The puzzle checker 312 in turn informs the mail application 310 that the associated message is not valid, so that it is likely a mass email and should be deleted. In this way, the mail application 310 automatically deletes illegitimate mass emails without user intervention. If the unique identifier does not already exist in the database 316, however, then the cancellation server 314 tells the puzzle checker 312 that the puzzle is valid, while adding the unique identifier to the database 316 to prevent future use of the identifier. Under this embodiment of the invention, the MTAs 306 and 308 require little or no special modification to facilitate the puzzle creation - solving - verification process. 
[0041] An alternative embodiment is shown in Figure 3b, where the puzzle creator-solver 350 is located at the sender's mail transport agent 352, typically at the sender's ISP. In this arrangement, the sender's computer executes a mail application 354. A user generates a mail message using the mail application 354 and executes a "send" command by, for example, clicking a button labeled "Send" on the mail application's 354 user interface. The mail application 354 transmits the message to the sender's MTA 352. The MTA calls the puzzle creator-solver 350 to create and solve a cryptographic puzzle. The puzzle creator-solver 350 generates a unique identifier and timestamp and uses them to create a cryptographic puzzle, which it then solves. The puzzle creator-solver 350 passes the puzzle, solution, timestamp and unique identifier back to the MTA 352, which attaches the puzzle, solution, timestamp and unique identifier to the message, and transmits the message according to a mail sending protocol such as SMTP. In one embodiment, the puzzle creator-solver 350 generates puzzles in an offline process, so that a pre-generated puzzle/solution is immediately available and only minimal delay is required for the MTA 352 to re-transmit the message. 

[0042] Through standard electronic mail processing operations, the message is routed from the sender's MTA 352 to the recipient's MTA 356. The MTA 356 calls a puzzle checker 358 to verify that the attached puzzle is legitimate. The puzzle checker 358 verifies that the attached solution solves the puzzle and that the timestamp is within a range of recentness. The puzzle checker 358 then communicates with a cancellation server 360 to confirm that the puzzle has not been used for other electronic mail messages. The puzzle checker 358 sends the unique identifier and timestamp of the message to the cancellation server 360, which looks up the unique identifier in its database 362. If the identifier already exists in the database, then the cancellation server 360 tells the puzzle checker 358 that the puzzle is not valid. The puzzle checker 358 in turn tells the MTA 356 that the associated message is not valid, so that it is likely a mass email and should be deleted. In this way, the MTA 356 automatically deletes illegitimate mass emails prior to their ever being received by the recipient. If the unique identifier does not already exist in the database 362, however, then the cancellation server 360 tells the puzzle checker 358 that the puzzle is valid, while adding the unique identifier to the database 362 to prevent future use of the identifier. The MTA 356, receiving confirmation from the puzzle checker 358 that the puzzle is valid, transmits the message to the mail application 364 of the recipient. Under this embodiment of the invention, the mail applications 354 and 364 of the sender and recipient require no special modification to facilitate the puzzle creation - solving - verification process, and illegitimate mass emails are prevented from reaching recipients in a process that is transparent to the user. 

[0043] The present invention is not limited, however, to embodiments as illustrated in Figures 3a and 3b; other combinations are possible. For example, in an alternative embodiment the puzzle creator-solver is located at the MTA of the sender while the puzzle checker is located at the recipient's mail application. In another embodiment, the puzzle creator-solver is located at the sender's mail application while the puzzle checker is located at the MTA of the recipient. In still other embodiments, the puzzle checker is located at an intermediate server between the MTA of the sender and the MTA of the recipient, and the message is only forwarded to the recipient's MTA if the puzzle checker finds the message legitimate. 

[0044] In an exemplary arrangement, cancellation services are operated at large ISPs, such as MSN, AOL, EarthLink, etc., such that mail destined for accounts on those ISPs has its puzzles checked with the corresponding cancellation service. This arrangement provides advantages to ISPs, who are better able to ensure that their users do not receive illegitimate mass emails. An illegitimate email addressed to, for instance, multiple recipients at msn.com using a single cryptographic puzzle would be delivered to only the first of the intended recipients - once the puzzle's unique identifier was entered into the database at the cancellation server, subsequent queries would show the puzzle invalid, and the message therefore illegitimate. 

[0045] In some embodiments, a puzzle checker communicates with more than one cancellation server in order to increase the likelihood of detecting illegitimate email. Suppose, for example, that an email is sent to two different recipients, A and B, using identical cryptographic puzzles. If the two recipients use different cancellation servers, then neither will detect the invalidity of the puzzle, and the message will be delivered to both recipients. If recipient A, however, checks not only with his own cancellation service, but with a second cancellation service that happens to be the cancellation service used by B, then A will detect the invalidity of the puzzle from the second cancellation service (if user B, or another mass recipient of the puzzle, had previously checked there, entering the puzzle's unique identifier into the database). 
[0046] In other embodiments, multiple cancellation servers communicate with one another to distribute and/or share data. One example of a distributed system of cancellation servers is shown in Figure 4. A coordinating cancellation server 402 acts as a central coordinating point for managing the distribution of data among several cancellation servers. When a puzzle checker 406 queries one of the cancellation servers 404 with the unique identifier of a cryptographic puzzle, the queried server 404 hashes the identifier and contacts the coordinating server 402. The coordinating server 402 checks to see which of the several cancellation servers 404 is responsible for the particular unique identifier, for example, based on the three least significant digits of the hashed value. The coordinating server 402 returns the address of the appropriate cancellation server 406 to the calling cancellation server 404, which in turn queries the appropriate cancellation server 406 directly. This and similar techniques are thus used to distribute the load of identifiers across multiple cancellation servers. 
[0047] An alternative arrangement using multiple cancellation servers provides for the sharing of information between servers. For example, a cancellation server at one ISP regularly transfers the contents of its database to a cancellation server at a second ISP. When a puzzle checker queries the second cancellation server with a unique identifier, the identifier effectively searches the data from both cancellation servers with the single query. This arrangement thus reduces the number of queries necessary to check multiple cancellation servers. Such an arrangement is particularly useful if the participating cancellation servers are associated with popular ISPs and mail routing agencies, such as Hotmail and AOL. 

[0048] A similar arrangement using multiple cancellation servers is configured as a peer-to-peer (P2P) network. A P2P network of cancellation servers preferably does not contain a central organizing authority or hierarchy, but rather allows a puzzle checker to distribute its query among a collection of cooperating nodes holding the cancellation state. In one arrangement, a collection of peer nodes implements a distributed lookup service in which the cancellation database is distributed across a peer-to-peer network. Such a network of nodes implements a key-to-value mapping function for a large collection of keys. In this case, puzzle identifiers are used as keys. If a mapping exists for a given key, the corresponding puzzle has been cancelled. A preferred mechanism for enabling such a P2P network is described in Stoica et al., "Chord: A Scalable Peer-to-peer Lookup Service for Internet Applications", Proceedings of the 2001 conference on applications, technologies, architectures, and protocols for computer communications, 2001, pp. 149-160, which is hereby incorporated by reference in its entirety for all that it teaches without exclusion of any part thereof. 
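The following Python is an added example of how cancellation state can be partitioned across several servers as paragraphs [0046] and [0048] describe; it is not code from the patent and is not an implementation of Chord. `bucket_server` is the static assignment of [0046] (low bits of the hashed identifier select the server; twelve bits, i.e. three hexadecimal digits, is an assumed reading of "three least significant digits"). `CancellationRing` is a Chord-style ring without finger tables: each key is owned by its successor node, a mapping present at the owner means the puzzle is cancelled, and a joining node takes over the keys that now fall to it. Node names and identifiers in the test are constructed.

```python
import bisect
import hashlib


def bucket_server(identifier, servers):
    """[0046]-style static assignment: the low 12 bits of the hashed identifier
    (three hex digits, an assumed interpretation) pick the responsible server."""
    h = int.from_bytes(hashlib.sha256(identifier).digest(), "big")
    return servers[(h & 0xFFF) % len(servers)]


def ring_position(data):
    """Place a node name or a puzzle identifier on a 160-bit ring, as Chord does."""
    if isinstance(data, str):
        data = data.encode()
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


class CancellationRing:
    """Cancellation state spread over cooperating nodes with no central coordinator.
    Each puzzle identifier is owned by the first node at or after its ring position."""

    def __init__(self, node_names):
        self.nodes = {ring_position(n): n for n in node_names}   # position -> name
        self.positions = sorted(self.nodes)
        self.state = {n: set() for n in node_names}              # name -> cancelled keys

    def successor(self, position):
        i = bisect.bisect_left(self.positions, position)
        return self.nodes[self.positions[i % len(self.positions)]]   # wrap around

    def owner(self, identifier):
        return self.successor(ring_position(identifier))

    def is_cancelled(self, identifier):
        """A mapping exists for the key at its owner => the puzzle was already used."""
        return identifier in self.state[self.owner(identifier)]

    def cancel(self, identifier):
        """True if newly cancelled; False if the identifier was already present (reuse)."""
        node = self.owner(identifier)
        if identifier in self.state[node]:
            return False
        self.state[node].add(identifier)
        return True

    def join(self, name):
        """Add a node and hand it the keys between its predecessor and itself,
        which its successor held until now. Returns the number of keys moved."""
        pos = ring_position(name)
        if pos in self.nodes:
            raise ValueError("node already present")
        old_owner = self.successor(pos)
        self.nodes[pos] = name
        bisect.insort(self.positions, pos)
        self.state[name] = set()
        moved = {k for k in self.state[old_owner] if self.owner(k) == name}
        self.state[old_owner] -= moved
        self.state[name] |= moved
        return len(moved)
```

The property worth checking is that every identifier has exactly one owner at any time, before and after a node joins, so a reused puzzle is always detected at the same place the first use was recorded.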

[0049] Using multiple cancellation servers provides several benefits: each individual puzzle checker need not rely on the same collection of cancellation servers; cancellation servers trusted by a recipient need not be trusted by the sender; and, with sufficient redundancy among the cancellation servers, a cancellation system could be hosted by mutually suspicious neighbors forming a peer-to-peer network. 

[0050] In accordance with an embodiment of the invention, multiple puzzles and solutions are included in messages intended for multiple recipients. A preferred embodiment includes mail transport agents, such as SMTP servers, that make sure each copy of each message they send has the correct number of puzzle-solutions. Since SMTP forwarders commonly need to manipulate headers of the messages they forward, an SMTP forwarder is easily modified to ensure that unique puzzle-solutions are bundled with messages destined for different mail transport agents. For example, if a message is intended for 10 recipients at 5 different mail servers, and the message has 10 unique puzzle-solutions, then the SMTP server makes sure that two unique puzzle-solutions are bound with the message copy destined for each of the five mail servers. Similarly, when the target mail server delivers the destination messages, each recipient only receives a single unique puzzle-solution (in those embodiments where the puzzle checking is performed at the recipient's mail application). Each recipient preferably does not receive any puzzle-solutions that are received by other recipients of the message. This prevents a recipient from prematurely invalidating a copy of the message intended for another recipient by canceling the puzzle's unique identifier with a cancellation server. Additionally, by performing the puzzle-solution distribution at the mail transport agent level, a recipient does not need to determine which of the multiple puzzle-solutions is intended for him - a problem worsened if some recipients are "hidden" using a blind carbon copy function. 

[0051] The strategy just described to ensure unique puzzle-solutions for individual recipients of a single email message is similarly employed by managers of distribution lists, in an embodiment of the invention. The message sender creates a sufficient number of puzzle-solutions and passes them to the distribution list manager along with his message to be distributed. The distribution list manager then divides the puzzle-solutions between the copies of the message that it forwards to the distribution list subscribers. In this way, the sender creates puzzle-solutions for recipients who may not be known to him, but are subscribers to the distribution list and should therefore receive his message. 
[0052] Figure 5 illustrates an example of sending a message with multiple puzzle-solutions to multiple recipients, in accordance with an embodiment of the invention. A sender uses his mail application 502 to create a message intended for six recipients, and the puzzle creator-solver 504 generates six cryptographic puzzles and solutions, P/S 1-6 506. The message and puzzle-solutions 506 are transmitted to the sender's mail server 508, which inspects the message header and notes that four different mail servers serve the six recipients. The sender's mail server 508 sends the message and two of the puzzle-solutions P/S 1-2 to a first mail server 510, one P/S 3 to a second mail server 512, one P/S 4 to a third mail server 514, and two P/S 5-6 to a fourth mail server 516. The first mail server 510 inspects the message header and delivers the message and one of the puzzle-solutions P/S 1 to a first recipient's mail application 518, while delivering the message and the second of the puzzle-solutions P/S 2 to the second recipient's mail application 520. The second mail server 512 delivers the message and puzzle-solution P/S 3 to the third recipient's mail application 522, while the third mail server 514 delivers the message and puzzle-solution P/S 4 to the fourth recipient's mail application 524. Each of these recipients' mail applications works with a puzzle checker that verifies that its respective puzzle-solution has not been cancelled in one or two cancellation servers 526 and 528. The fourth mail server 516 works with a puzzle checker 530 that communicates with the two cancellation servers 526 and 528. If the puzzle checker 530 verifies that P/S 5 has not been cancelled, then the fourth mail server 516 delivers the message to the fifth recipient's mail application 532. If the puzzle checker 530 verifies that P/S 6 has not been cancelled, then the fourth mail server 516 delivers the message to the sixth recipient's mail application 534. 
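The following Python is an added example of the puzzle-solution distribution of paragraphs [0050] to [0052] (the Figure 5 case with six recipients on four mail servers is the test input); it is not code from the patent. Two simplifications are assumed: the destination mail server of an address is taken to be its domain part, standing in for the MX lookup a real MTA performs, and the MTA works from the envelope recipient list (RCPT TO) rather than the To: and Cc: headers, which is what makes Bcc recipients receive their own puzzle-solution. A puzzle-solution is treated as an opaque, hashable token.

```python
def mail_server_of(address):
    """Destination mail server for an address. Constructed simplification: the
    domain part stands in for the MX lookup a real MTA would perform."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not an address: %r" % (address,))
    return domain.lower()


def split_for_mail_servers(envelope_recipients, puzzle_solutions):
    """Sender's MTA: one copy per destination server, carrying exactly as many
    distinct puzzle-solutions as that server has recipients. Working from the
    envelope (RCPT TO) list rather than the headers covers Bcc recipients too."""
    if len(set(puzzle_solutions)) != len(puzzle_solutions):
        raise ValueError("puzzle-solutions must be distinct")
    if len(puzzle_solutions) < len(envelope_recipients):
        raise ValueError("need one puzzle-solution per recipient")
    by_server = {}
    for rcpt in envelope_recipients:
        by_server.setdefault(mail_server_of(rcpt), []).append(rcpt)
    copies, pos = {}, 0
    for server, rcpts in by_server.items():
        copies[server] = {
            "recipients": rcpts,
            "puzzle_solutions": list(puzzle_solutions[pos:pos + len(rcpts)]),
        }
        pos += len(rcpts)
    return copies


def deliver_to_mailboxes(copy):
    """Receiving MTA: each mailbox gets exactly one puzzle-solution and never sees
    the ones meant for other recipients, so it cannot cancel them prematurely."""
    return dict(zip(copy["recipients"], copy["puzzle_solutions"]))


def check_distribution(envelope_recipients, puzzle_solutions):
    """Invariant from [0050]: every recipient ends up with one puzzle-solution,
    and no two recipients share one."""
    delivered = {}
    for copy in split_for_mail_servers(envelope_recipients, puzzle_solutions).values():
        delivered.update(deliver_to_mailboxes(copy))
    assigned = list(delivered.values())
    return (set(delivered) == set(envelope_recipients)
            and len(set(assigned)) == len(envelope_recipients))
```

A real forwarder would attach the selected puzzle-solutions as headers on the per-server copy and strip the remainder; the split itself is what decides whether one recipient can invalidate another's copy.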

[0053] Turning attention to Figure 6, a method for puzzle checking is now described, in accordance with an embodiment of the invention. The method is performed by a puzzle checker, located preferably at either a recipient's mail application or at a mail server. The puzzle checker receives a message (or other digital object) along with a cryptographic puzzle, solution, unique puzzle identifier and timestamp at step 602. The puzzle checker checks that the timestamp is valid at step 604, by, for example, comparing the timestamp to the current time with respect to some range threshold. If the timestamp is outside the range threshold (e.g., it is too old, or it is too far in the future to be plausibly explained by clock skew), then the puzzle checker rejects the message at step 606. Otherwise, the puzzle checker verifies that the solution solves the puzzle, and that the puzzle corresponds to the identifier and timestamp, at step 608. Due to the preferred nature of the cryptographic puzzles for use in the method, verification step 608 requires relatively little computational power and time. If the solution does not solve the puzzle, then the puzzle checker rejects the message at step 606. Otherwise, the puzzle checker, at step 610, sends the unique identifier and timestamp to a cancellation service. Additionally, the puzzle checker sends, at step 610, a transaction identifier, which is a large number generated by a random or pseudo-random number generator, preferably greater than 128 bits in length. If the puzzle checker does not receive a reply from the cancellation server within some user- or puzzle-checker-set interval of time, then the puzzle checker resends the transaction identifier, unique identifier and timestamp at 610. The puzzle checker receives a reply from the cancellation service at step 612 and inspects the reply at step 614. If the cancellation server rejected the puzzle identifier, then the puzzle checker rejects the message at step 606. If the cancellation server did not reject the puzzle, the puzzle checker decides if it is going to check with an additional cancellation service at step 616. If so, the puzzle checker returns to step 610 where it sends the unique identifier and timestamp of the puzzle to the additional cancellation service, and the subsequent steps repeat. Otherwise, the puzzle checker accepts the message at step 618. 

[0054] With regard to step 606, some embodiments perform various actions on a message whose identifier has been rejected by a cancellation server. For example, one action performed in an embodiment of the invention discards and removes rejected messages from the system. An alternative action places a rejected message into a low-priority bin, allowing the recipient to subsequently view the message should he or she desire, or applies a spam filter to the message. For puzzle checkers residing at mail transfer agents, one action for rejecting the message is to cause it to be deleted and not delivered to the intended recipient. Alternatively, the puzzle checker does not cause the message to be removed, but rather marks it as having a rejected identifier. Preferably, the MTA marks the message by adding a new designated header field to the message, indicating the message identifier was rejected by a cancellation server. The MTA also removes any such designated header field that may have previously existed on the message, so that a sender cannot pre-set the field. By reading the designated header field, downstream MTAs or mail applications can filter the message for spam, modify the message's priority setting, or perform other actions based on the cancellation server's rejection. The methods used to process messages with rejected identifiers are preferably configured according to user, MTA or ISP preferences. 
[0055] Turning to Figure 7, a method for canceling a puzzle is now described, in accordance with an embodiment of the invention. The method is preferably performed by a cancellation server in communication with a puzzle checker. The cancellation server receives a unique identifier, timestamp and transaction identifier of a cryptographic puzzle at step 702. At step 703, the cancellation server checks if the transaction identifier already exists in its database. If so, then the cancellation request is a duplicate request from, for example, a puzzle checker that did not receive a response to its initial request due to a communications failure. The cancellation server accepts the puzzle at step 704 and transmits a notification of the acceptance to the calling puzzle checker. Otherwise, the transaction is new and at step 705, the cancellation server hashes the unique identifier and looks it up in a hash table. The cancellation server determines, at step 706, whether the unique identifier exists in the hash table. If the unique identifier already exists in the hash table, then the puzzle is being reused, so the cancellation server rejects the puzzle at step 708, transmitting a notification of the rejection to the calling puzzle checker. Otherwise, the cancellation server decides whether to check an affiliated hash table at step 709. The affiliated hash table is located, for example, at a remote cancellation server in communication with the present cancellation server. If no affiliated hash table is to be checked, then the timestamp and hash of the unique identifier are stored in the cancellation server's hash table at step 710, and the cancellation server accepts the puzzle at step 704, transmitting a notification of the acceptance to the calling puzzle checker. Additionally, the transaction identifier is stored at step 710, to allow the puzzle checker to requery the cancellation server should the notification of acceptance fail. The transaction identifier is stored for a limited time, preferably significantly shorter than the lifetime of the puzzle identifiers. Otherwise, the unique identifier is looked up in the affiliated hash table at step 714. At step 716, the cancellation server determines whether the unique identifier is entered in the affiliated hash table. If so, then the cancellation server rejects the puzzle at step 708. Otherwise, the server returns to step 709 to determine whether another affiliated hash table is to be checked. 
[0056] Hash tables are preferably used in the method of Figure 7 to allow for efficient storage of data, although any data structure may be used that is conducive to database functions. Furthermore, the hash table is preferably cleansed periodically by removing those entries whose timestamps are beyond a given threshold, for example, fifteen days. This increases performance of the cancellation server by reducing the size of the hash table. Furthermore, removing sufficiently old entries generally does not affect users because their puzzle checkers likely will reject old messages prior to calling the cancellation server, as described in the method accompanying Figure 6. 
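The following Python is an added example, not code from the patent, of the checker/server exchange in Figures 6 and 7 (steps 610 to 618 on the checker side, steps 702 to 716 and the cleansing of [0056] on the server side). It assumes the timestamp and solution checks of steps 604 and 608 have already passed, so only the identifier and timestamp travel to the server. The transaction identifier is 160 random bits (the text asks for more than 128). The fifteen-day identifier lifetime comes from [0056]; the ten-minute transaction-identifier lifetime is an assumed value. The transport that loses a reply is constructed for the test: it shows why the transaction identifier matters, since without it the retried query would see its own earlier entry and wrongly report reuse.

```python
import hashlib
import secrets
import time

IDENTIFIER_LIFETIME = 15 * 24 * 3600   # purge identifiers older than 15 days ([0056])
TXN_LIFETIME = 10 * 60                 # transaction ids live far shorter (assumed value)


class CancellationServer:
    """Figure 7: an idempotent cancel() over a hash table of hashed identifiers."""

    def __init__(self, affiliates=()):
        self.table = {}                      # sha256(identifier) -> puzzle timestamp
        self.txns = {}                       # transaction id -> time the request was accepted
        self.affiliates = list(affiliates)   # remote servers whose tables are also consulted

    @staticmethod
    def key(identifier):
        return hashlib.sha256(identifier).digest()

    def contains(self, identifier):
        """Read-only lookup, used when this server is another's affiliate (step 714)."""
        return self.key(identifier) in self.table

    def cancel(self, identifier, timestamp, txn_id, now=None):
        now = time.time() if now is None else now
        if txn_id in self.txns:              # step 703: retry of an already accepted request
            return "ACCEPT"
        if self.contains(identifier):        # steps 705-708: identifier already cancelled
            return "REJECT"
        for affiliate in self.affiliates:    # steps 709-716: consult affiliated tables
            if affiliate.contains(identifier):
                return "REJECT"
        self.table[self.key(identifier)] = timestamp   # step 710: cancel and remember txn
        self.txns[txn_id] = now
        return "ACCEPT"

    def cleanse(self, now=None):
        """Drop expired identifiers and stale transaction ids; returns entries kept."""
        now = time.time() if now is None else now
        self.table = {k: ts for k, ts in self.table.items()
                      if now - ts <= IDENTIFIER_LIFETIME}
        self.txns = {t: seen for t, seen in self.txns.items()
                     if now - seen <= TXN_LIFETIME}
        return len(self.table)


class PuzzleChecker:
    """Figure 6, steps 610-618: query each configured service, re-sending the same
    transaction id when no reply arrives, and accept only if every service accepts."""

    def __init__(self, services, send, retries=3):
        self.services = services
        self.send = send        # send(service, identifier, timestamp, txn_id) -> reply or None
        self.retries = retries

    def consult(self, identifier, timestamp):
        for service in self.services:
            txn_id = secrets.token_bytes(20)           # 160 random bits, > 128 as the text asks
            reply = None
            for _ in range(self.retries):
                reply = self.send(service, identifier, timestamp, txn_id)
                if reply is not None:
                    break
            if reply != "ACCEPT":                      # REJECT, or no answer at all
                return "reject"
        return "accept"


def lossy_transport(drop_first_reply):
    """Constructed transport: the server always processes the request, but the
    first reply on this transport may be lost on its way back to the checker."""
    state = {"pending_drop": drop_first_reply}

    def send(service, identifier, timestamp, txn_id):
        reply = service.cancel(identifier, timestamp, txn_id)
        if state["pending_drop"]:
            state["pending_drop"] = False
            return None
        return reply
    return send
```

Transaction identifiers are stored only for accepted requests, as in step 710: a retried request whose first attempt was rejected simply finds the identifier in the table again and is rejected again, so nothing further needs remembering for that case.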
[0057] There is also a trade-off between the uniqueness of puzzle identifiers and the size of the data structure required by a cancellation server. Smaller identifiers require less storage, but risk a greater likelihood of non-uniqueness, resulting in "false positives" by the puzzle checker. The cost of a false positive depends on the particular implementation of the puzzle checking system (e.g., some puzzle checkers delete messages with non-unique identifiers, while some puzzle checkers do not delete the messages, but rather place them in low-priority bins). This cost of false positives, in addition to the puzzle expiry time implemented by a cancellation server, are factors for consideration in choosing the length for unique identifiers. Although a 128-bit identifier, as described above with reference to Figure 2, presents a low risk of false positives, smaller identifiers are possible in practice. 

[0058] Embodiments of the invention are not limited to delivery of email messages. Embodiments of the invention are applicable generally in order to control the rate of information passing in distributed-systems applications where information is digitally delivered. 

[0059] Embodiments of the invention are not limited to the use of cryptographic puzzles. As an alternative, for example, non-cryptographic puzzles such as Human Interactive Proof (HIP) puzzles are used. An exemplary HIP contains a set of distorted characters displayed on the computer monitor, and a user is asked to identify the characters. In an embodiment of the invention, a third party generates such puzzles and encodes them such that another party checks the human solution. Examples of HIP puzzles are given by L. von Ahn, Manuel Blum, and John Langford, in Telling Humans and Computers Apart, Communications of the ACM, Feb 2004, Vol. 47, No. 2, which is hereby incorporated by reference in its entirety for all that it teaches without exclusion of any part thereof. 

[0060] In view of the many possible embodiments to which the principles of the present invention may be applied, it should be recognized that the embodiments described herein with respect to the drawing figures are meant to be illustrative only and should not be taken as limiting the scope of the invention. For example, those of skill in the art will recognize that the illustrated embodiments can be modified in arrangement and detail without departing from the spirit of the invention. Although the invention is described in terms of software modules or components, those skilled in the art will recognize that such may be equivalently replaced by hardware components. Therefore, the invention as described herein contemplates all such embodiments as may come within the scope of the following claims and equivalents thereof. 



Claims 

1. A cancellation server for canceling cryptographic 
puzzles, the puzzles associated with identifiers, for 
use in a digital delivery system comprising an in- 
tended recipient of a digital object including a cryp- 
tographic puzzle, the cancellation server in connec- 
tion with at least one database, and executing the 
steps of: 

receiving the identifier associated with the re- 
cipient's puzzle; 

querying the at least one database with the 
identifier; and 

canceling the intended recipient's puzzle if the 
query fails, by causing an entry to be stored in 
the at least one database, 

wherein the entry comprises the identifier or infor- 
mation derived from the identifier. 

2. The cancellation server of claim 1 further executing 
the step of transmitting an ACCEPT response if the 
query fails. 

3. The cancellation server of claim 1 further executing 
the step of transmitting a REJECT response if the 
query succeeds. 

4. The cancellation server of claim 1 wherein the puzzles are further associated with timestamps, the server further executing the step of receiving the timestamp associated with the recipient's puzzle, and wherein the entry to be stored in the at least one database if the query fails further comprises the timestamp or information derived from the timestamp.

5. The cancellation server of claim 4 further executing the step of causing an entry to be removed from the database if its timestamp falls outside a threshold range.

6. The cancellation server of claim 1 wherein querying the at least one database comprises computing a hash of the identifier.

7. The cancellation server of claim 6 further corresponding to a range of values for a peer-to-peer distributed lookup service, and the identifier is hashed to a value within the range.

8. The cancellation server of claim 1 in connection with a second cancellation server for providing data in the at least one database to the second cancellation server.

9. The cancellation server of claim 1 in connection with a second cancellation server for querying at least one database associated with the second cancellation server.

10. The cancellation server of claim 9 wherein the cancellation server and the second cancellation server communicate through a peer-to-peer network.

11. The cancellation server of claim 1 wherein the digital object is an electronic mail message.

12. A puzzle checker for verifying solutions to cryptographic puzzles, the puzzles associated with identifiers and timestamps, for use in a digital delivery system comprising an intended recipient of a digital object including a cryptographic puzzle and solution, the puzzle checker in connection with at least one cancellation server, and executing the steps of:

transmitting the identifier associated with the puzzle to the at least one cancellation server; and

processing the digital object if a REJECT response is received from the at least one cancellation server.

13. The puzzle checker of claim 12 wherein processing the digital object comprises removing the digital object.

14. The puzzle checker of claim 12 wherein processing the digital object comprises marking the digital object for subsequent filtering.

15. The puzzle checker of claim 12 wherein processing the digital object comprises modifying the priority of the digital object.

16. The puzzle checker of claim 12 further executing the steps of:

verifying whether the solution solves the puzzle; and

processing the digital object if the solution does not solve the puzzle.

17. The puzzle checker of claim 12 further executing the steps of:

confirming whether the timestamp is within a threshold range; and

processing the digital object if the timestamp is outside the threshold range.

18. The puzzle checker of claim 12 further executing the step of:

computing a hash of the identifier;

wherein the transmitting step further comprises transmitting the identifier to the at least one cancellation server corresponding to the hash of the identifier.

19. The puzzle checker of claim 12 wherein the puzzle checker resides at the intended recipient.

20. The puzzle checker of claim 12 wherein the puzzle checker resides at an intermediary server.

21. The puzzle checker of claim 20 wherein the intermediary server transmits the object for delivery to the intended recipient only if a REJECT response is not received from the at least one cancellation server.

22. A puzzle creator for generating and solving cryptographic puzzles for use in a digital delivery system comprising a puzzle checker in connection with at least one cancellation server and an intended recipient of a digital object including a cryptographic puzzle and solution, the puzzle creator executing the steps of:

generating an identifier;

generating a timestamp;

generating a cryptographic puzzle using the identifier and timestamp; and

computing a solution to the cryptographic puzzle;

whereby the puzzle, solution, timestamp and identifier are attached to the digital object for delivery to the intended recipient.

23. The puzzle creator of claim 22 wherein the identifier comprises a string of random bits.

24. The puzzle creator of claim 22 wherein the identifier comprises a string of at least 128 bits.

25. The puzzle creator of claim 22 wherein computing 
a solution to the cryptographic puzzle requires more 
than about seven seconds of computational time. 

26. The puzzle creator of claim 22 further executing the 
steps of: 

receiving a request from the sender of the dig- 
ital object; 

transmitting the identifier, timestamp, puzzle 
and solution to the sender. 

27. The puzzle creator of claim 26 further executing the 
step of: 

receiving payment from the sender of the digital 
object. 

28. A method for canceling cryptographic puzzles, the 
puzzles associated with identifiers, for use in a dig- 
ital delivery system comprising at least one data- 
base in connection with a first cancellation server 
and an intended recipient of a digital object includ- 
ing a cryptographic puzzle, the method comprising 
the steps of: 

receiving the identifier associated with the re- 
cipient's puzzle; 

querying the at least one database with the 
identifier; and 

canceling the intended recipient's puzzle if the 
query fails, by causing an entry to be stored in 
the at least one database, 

wherein the entry comprises the identifier or infor- 
mation derived from the identifier. 
29. The method of claim 28 wherein the puzzles are further associated with timestamps, the method further comprising the step of receiving the timestamp associated with the recipient's puzzle, and wherein the entry to be stored in the at least one database if the query fails further comprises the timestamp or information derived from the timestamp.

30. The method of claim 29 further comprising the step of causing an entry to be removed from the database if its timestamp falls outside a threshold range.

31. The method of claim 28 further comprising the step of providing data in the at least one database to a second cancellation server.

32. The method of claim 28 further comprising the step of querying an at least one database associated with a second cancellation server.

33. The method of claim 32 wherein the first cancellation server and the second cancellation server communicate through a peer-to-peer network.

34. The method of claim 28 wherein the first cancellation server corresponds to a range of values for a distributed hash table, and the identifier is hashed to a value within the range.

35. The method of claim 28 wherein the digital object is an electronic mail message.

36. A computer-readable medium including computer-executable instructions facilitating the cancellation of cryptographic puzzles, the puzzles associated with identifiers, for use in a digital delivery system comprising at least one database in connection with a first cancellation server and an intended recipient of a digital object including a cryptographic puzzle, said computer-executable instructions executing the steps of:

receiving the identifier associated with the recipient's puzzle;

querying the at least one database with the identifier; and

canceling the intended recipient's puzzle if the query fails, by causing an entry to be stored in the at least one database,

wherein the entry comprises the identifier or information derived from the identifier.
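The three roles the claims describe (puzzle creator, puzzle checker, cancellation server) run end to end in the following Python example. It is an added illustration written for this page, not code from the patent. The claims do not fix the puzzle function, so a hashcash-style instantiation is assumed here (SHA-256 over identifier, timestamp and nonce with a fixed number of leading zero bits); the 12-bit difficulty, the two-server split of the hash space, the timestamp threshold, and every name in the block (create_puzzle, verify_solution, identifier_hash, route, CancellationServer, check_message) are my choices for the example, not identifiers from the patent.

```python
"""End-to-end simulation of the puzzle cancellation protocol in the claims.
Added example, not the patent's code.  The puzzle function is an ASSUMED
hashcash-style construction: the claims only require that the puzzle be
derived from the identifier and timestamp and cost the sender CPU time."""
import hashlib
import os

IDENTIFIER_BYTES = 16       # assumed: 128-bit random identifier (claim 24 minimum)
DIFFICULTY_BITS = 12        # assumed: leading zero bits required; small so this runs fast
ACCEPT, REJECT = "ACCEPT", "REJECT"


def _digest(identifier: bytes, timestamp: int, nonce: int) -> int:
    data = identifier + timestamp.to_bytes(8, "big") + nonce.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def verify_solution(identifier: bytes, timestamp: int, nonce: int) -> bool:
    """Checker side (claim 16): the nonce solves the puzzle when the digest
    has DIFFICULTY_BITS leading zero bits."""
    return _digest(identifier, timestamp, nonce) >> (256 - DIFFICULTY_BITS) == 0


def create_puzzle(timestamp: int) -> dict:
    """Puzzle creator (claim 22): fresh random identifier, the timestamp, and a
    brute-forced solution.  The returned dict is what travels with the message."""
    identifier = os.urandom(IDENTIFIER_BYTES)
    nonce = 0
    while not verify_solution(identifier, timestamp, nonce):
        nonce += 1
    return {"identifier": identifier, "timestamp": timestamp, "solution": nonce}


def identifier_hash(identifier: bytes) -> int:
    """Claims 6, 7 and 18: the identifier is hashed once; the hash is both the
    database key and the routing key into the servers' hash ranges."""
    return int.from_bytes(hashlib.sha256(identifier).digest()[:8], "big")


class CancellationServer:
    """Claims 1-5: one server owns an inclusive range of the 64-bit hash space
    and records every identifier it has already seen, with its timestamp."""

    def __init__(self, lo: int, hi: int):
        self.lo, self.hi = lo, hi
        self.db = {}            # identifier hash -> timestamp (constructed in-memory DB)

    def cancel(self, identifier: bytes, timestamp: int) -> str:
        key = identifier_hash(identifier)
        if key in self.db:      # query succeeds: this puzzle was cancelled before
            return REJECT
        self.db[key] = timestamp  # query fails: store the entry, cancelling the puzzle
        return ACCEPT

    def expire(self, now: int, threshold: int) -> int:
        """Claim 5: drop entries whose timestamp is outside the threshold range.
        Returns the number of entries removed."""
        stale = [k for k, ts in self.db.items() if abs(now - ts) > threshold]
        for k in stale:
            del self.db[k]
        return len(stale)


def route(identifier: bytes, servers: list) -> CancellationServer:
    """Claim 7 / 34: pick the server whose range contains the identifier hash."""
    key = identifier_hash(identifier)
    for server in servers:
        if server.lo <= key <= server.hi:
            return server
    raise LookupError("no cancellation server covers this identifier")


def check_message(msg: dict, servers: list, now: int, threshold: int) -> str:
    """Puzzle checker (claims 12, 16, 17, 18).  Returns 'deliver' when the
    message is legitimate, otherwise the reason the object is to be processed
    (removed, marked, or deprioritised per claims 13-15)."""
    if not verify_solution(msg["identifier"], msg["timestamp"], msg["solution"]):
        return "bad solution"
    if abs(now - msg["timestamp"]) > threshold:
        return "stale timestamp"
    server = route(msg["identifier"], servers)
    if server.cancel(msg["identifier"], msg["timestamp"]) == REJECT:
        return "already cancelled"
    return "deliver"


if __name__ == "__main__":
    # Two servers splitting the 64-bit hash space (constructed topology).
    servers = [CancellationServer(0, 2**63 - 1), CancellationServer(2**63, 2**64 - 1)]
    msg = create_puzzle(timestamp=1_000_000)
    print("first delivery:", check_message(msg, servers, now=1_000_010, threshold=300))
    print("bulk replay:   ", check_message(msg, servers, now=1_000_020, threshold=300))
```

The order of checks in check_message matters: solution and timestamp are verified locally before any network round trip, so a sender who has not paid the puzzle cost cannot make the recipient query the cancellation service at all. Note that the puzzle alone does not stop a bulk sender from reusing one solved puzzle; it is the cancellation server's first-seen-wins database that turns a single paid puzzle into a single deliverable message.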